CVSS2: 4 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3: 6.5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005 Low (Percentile: 76.0%)

DISPUTED The SwarmKit toolkit 1.12.0 for Docker allows remote
authenticated users to cause a denial of service (prevention of cluster
joins) via a long sequence of join and quit actions. NOTE: the vendor
disputes this issue, stating that this sequence is not “removing the state
that is left by old nodes. At some point the manager obviously stops being
able to accept new nodes, since it runs out of memory. Given that both for
Docker swarm and for Docker Swarmkit nodes are required to provide a
secret token (it’s actually the only mode of operation), this means that no
adversary can simply join nodes and exhaust manager resources. We can’t do
anything about a manager running out of memory and not being able to add
new legitimate nodes to the system. This is merely a resource provisioning
issue, and definitely not a CVE worthy vulnerability.”
Author | Note |
---|---|
sbeattie | only in docker 0.12 |